v0.2.0 · live
CAPFRAME
← leaderboard/rank #77
§ serversandboxfindings.v2

AntV Chart MCP

npm:@antv/mcp-server-chart@0.9.10

Score
D42
Findings
29
Tools
27
Last scan
2026-06-05

Severity breakdown

Critical0
High0
Medium29
Low0
Info0

Worst finding

Tool `generate_area_chart` accepts unconstrained string input

· generate_area_chart

The following string parameter(s) have no `maxLength` constraint: `axisXTitle`, `axisYTitle`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

All 29 findings

  1. medium
    Tool `generate_area_chart` accepts unconstrained string input· generate_area_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `axisXTitle`, `axisYTitle`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  2. medium
    Tool `generate_bar_chart` accepts unconstrained string input· generate_bar_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `axisXTitle`, `axisYTitle`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  3. medium
    Tool `generate_boxplot_chart` accepts unconstrained string input· generate_boxplot_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `axisXTitle`, `axisYTitle`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  4. medium
    Tool `generate_column_chart` accepts unconstrained string input· generate_column_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `axisXTitle`, `axisYTitle`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  5. medium
    Tool `generate_district_map` accepts unconstrained string input· generate_district_mapunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  6. medium
    Tool `generate_dual_axes_chart` accepts unconstrained string input· generate_dual_axes_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `axisXTitle`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  7. medium
    Tool `generate_fishbone_diagram` accepts unconstrained string input· generate_fishbone_diagramunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `theme`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  8. medium
    Tool `generate_flow_diagram` accepts unconstrained string input· generate_flow_diagramunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `theme`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  9. medium
    Tool `generate_funnel_chart` accepts unconstrained string input· generate_funnel_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  10. medium
    Tool `generate_funnel_chart` description mentions money but no `money` side-effect is declared· generate_funnel_chartexcessive agency

    Description: "Generate a funnel chart to visualize the progressive reduction of data as it passes through stages, such as, the conversion rates of users from visiting a website to completing a purchase." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

  11. medium
    Tool `generate_histogram_chart` accepts unconstrained string input· generate_histogram_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `axisXTitle`, `axisYTitle`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  12. medium
    Tool `generate_line_chart` accepts unconstrained string input· generate_line_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `axisXTitle`, `axisYTitle`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  13. medium
    Tool `generate_liquid_chart` accepts unconstrained string input· generate_liquid_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `shape`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  14. medium
    Tool `generate_mind_map` accepts unconstrained string input· generate_mind_mapunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `theme`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  15. medium
    Tool `generate_network_graph` accepts unconstrained string input· generate_network_graphunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `theme`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  16. medium
    Tool `generate_organization_chart` accepts unconstrained string input· generate_organization_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `orient`, `theme`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  17. medium
    Tool `generate_path_map` accepts unconstrained string input· generate_path_mapunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  18. medium
    Tool `generate_pie_chart` accepts unconstrained string input· generate_pie_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  19. medium
    Tool `generate_pin_map` accepts unconstrained string input· generate_pin_mapunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  20. medium
    Tool `generate_radar_chart` accepts unconstrained string input· generate_radar_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  21. medium
    Tool `generate_sankey_chart` accepts unconstrained string input· generate_sankey_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `nodeAlign`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  22. medium
    Tool `generate_sankey_chart` description mentions money but no `money` side-effect is declared· generate_sankey_chartexcessive agency

    Description: "Generate a sankey chart to visualize the flow of data between different stages or categories, such as, the user journey from landing on a page to completing a purchase." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

  23. medium
    Tool `generate_scatter_chart` accepts unconstrained string input· generate_scatter_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `axisXTitle`, `axisYTitle`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  24. medium
    Tool `generate_treemap_chart` accepts unconstrained string input· generate_treemap_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  25. medium
    Tool `generate_venn_chart` accepts unconstrained string input· generate_venn_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  26. medium
    Tool `generate_violin_chart` accepts unconstrained string input· generate_violin_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `axisXTitle`, `axisYTitle`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  27. medium
    Tool `generate_waterfall_chart` accepts unconstrained string input· generate_waterfall_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `axisXTitle`, `axisYTitle`, `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  28. medium
    Tool `generate_word_cloud_chart` accepts unconstrained string input· generate_word_cloud_chartunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `theme`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  29. medium
    Tool `generate_spreadsheet` accepts unconstrained string input· generate_spreadsheetunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `theme`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source sandbox live tools/list captured in an ephemeral Docker container (parameter schemas included → R1/R2/R4 fire). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.